Bug 127772

Summary: Javascript function returns incorrect value after being JIT-compiled
Product: WebKit Reporter: Daniel Szabo <szdy12>
Component: JavaScriptCore Assignee: Nobody <webkit-unassigned>
Status: RESOLVED WORKSFORME    
Severity: Major    
Priority: P1    
Version: 528+ (Nightly build)   
Hardware: iPhone / iPad   
OS: iOS 7.0   
Attachments:
Description Flags
html page with javascript showing erroneous JIT behavior none

Daniel Szabo
Reported 2014-01-28 04:56:09 PST
Created attachment 222429
html page with javascript showing erroneous JIT behavior

See attachment. JavaScript function 'calc' will be called in a loop. After several iterations its return value will be zero instead of the reference value. The non-jitted function 'calc2' (which is the exact copy of 'calc') still returns the reference value.

Actual result on iPad mini (iOS 7.0.4, Safari/9537.53): after 35 iterations the result value will be constant zero.
Attachments
html page with javascript showing erroneous JIT behavior (1.10 KB, text/html)
2014-01-28 04:56 PST, Daniel Szabo
no flags
Daniel Szabo
Comment 1 2014-10-07 02:59:11 PDT
Seems to be fixed in iOS 8 Safari